
Reverse Engineering central heating wireless thermostat - help needed!


mark03:
You could reverse-engineer the air interface on the cheap using an RTL-SDR type of dongle and [free] GNU Radio software.  But it may not be worth the investment of time.

ataradov:

--- Quote from: mark03 on December 02, 2015, 07:10:17 pm ---You could reverse-engineer the air interface on the cheap using an RTL-SDR type of dongle and [free] GNU Radio software.
--- End quote ---
Why would you want to do that? The radio is a standard IEEE 802.15.4 transceiver; there are proper sniffers for this already in existence. But if OTA communication is properly encrypted, sniffing it makes no difference.

philpem:

--- Quote from: ataradov on December 02, 2015, 06:58:06 pm ---
--- Quote from: philpem on December 02, 2015, 06:52:55 pm ---Make the thermostat turn the boiler on. See what it sends to the RF chip. Repeat for boiler off.
--- End quote ---
Properly designed protocols will use sequence numbers for duplicate detection and replay attacks (which is what you are trying to do here).

I work at Atmel and support those chips. I know what I'm talking about. The only way reverse-engineering will be simple is if you are in luck and the protocol used is some custom simple protocol.  Even if they went with basic IEEE 802.15.4 MAC, then sniffing the SPI and replaying the results will achieve absolutely nothing.


--- Quote from: philpem on December 02, 2015, 06:52:55 pm --- which helpfully wasn't JTAG-locked!  >:D
--- End quote ---
Again, you need a lot of luck for this to happen.

--- End quote ---

I think you're overestimating the average consumer electronics company manager. Quoting one of these beasts from some time ago...

"Who's going to hack a <x>? It's not like it's a military radio or... or a Patriot missile or... something like that! Stop wasting time on that, just make it work, as quickly as possible! We need to get a product out the door faster than <competitor>!"

I would be legitimately stunned if that thermostat -- almost an entry-level wireless 'stat -- is running a full Zigbee stack. They want a short development cycle and a cheap product. This is hardly a Nest. At best they'll have grabbed some Atmel sample code and used that.

The most they'll want is "on" and "off", anti-collision (CSMA-CA or CSMA-CD) and an ID/pairing to make sure multiple nearby transmitters can't be misidentified.

But really, all the OP wants to do is get the key and MAC for his thermostat and the packet format.
Looking at the AT86RF212 datasheet, the key is set with an SRAM write. So that's volatile -- the MCU will have to write it on every power-up. Same goes for the transmit buffer.
Transmit frequency, modulation settings, keys, MAC address, etc. can all be determined from SPI writes.

As for sequence IDs -- look at a dozen or so packets. I think the MT10RF has a mod-3 counter or something like that. Sequence IDs usually follow a fairly obvious sequence. Humans (like engineers, no matter how much we deny it!) like obvious sequences, they're easy to remember and easy to test.

Cheers,
Phil.
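The exchange above turns on what a sequence number actually buys the receiver: ataradov says proper protocols use it for duplicate and replay detection, and Phil suspects the MT10RF uses something like a mod-3 counter. The following is an added example, not code from this thread or from Atmel: it parses a plain IEEE 802.15.4 data-frame MAC header (standard FCF/DSN/addressing layout, short addresses, no FCS, no security header) and runs a receiver-side replay check over a constructed sequence of frames, once with the full 8-bit DSN and once with a 3-state counter. The frames, addresses and payload bytes are made up for the demonstration; nothing here is taken from the thermostat's real format.

```python
"""Parse an IEEE 802.15.4 MAC header and apply a per-source sequence-number
replay check. All frames are constructed for this example (no FCS appended)."""
import struct
from dataclasses import dataclass
from typing import Optional

ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0, 2, 3   # FCF addressing-mode values


@dataclass
class MacFrame:
    frame_type: int          # 0 beacon, 1 data, 2 ack, 3 MAC command
    security_enabled: bool   # FCF bit 3: an auxiliary security header would follow
    ack_request: bool        # FCF bit 5
    seq: int                 # 8-bit data sequence number (DSN)
    dest_pan: Optional[int]
    dest_addr: Optional[int]
    src_pan: Optional[int]
    src_addr: Optional[int]
    payload: bytes


def parse_frame(frame: bytes) -> MacFrame:
    """Decode FCF, DSN and addressing fields of a frame without security header."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    off = 3
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    pan_compression = bool(fcf & 0x40)   # source PAN ID omitted, equals dest PAN

    def read_addr(mode: int) -> Optional[int]:
        nonlocal off
        if mode == ADDR_NONE:
            return None
        if mode not in (ADDR_SHORT, ADDR_EXT):
            raise ValueError("reserved addressing mode")
        width = 2 if mode == ADDR_SHORT else 8
        value = int.from_bytes(frame[off:off + width], "little")
        off += width
        return value

    def read_pan() -> int:
        nonlocal off
        value = struct.unpack_from("<H", frame, off)[0]
        off += 2
        return value

    dest_pan = read_pan() if dst_mode != ADDR_NONE else None
    dest_addr = read_addr(dst_mode)
    src_pan = None
    if src_mode != ADDR_NONE:
        src_pan = dest_pan if pan_compression else read_pan()
    src_addr = read_addr(src_mode)
    return MacFrame(fcf & 0x7, bool(fcf & 0x8), bool(fcf & 0x20), seq,
                    dest_pan, dest_addr, src_pan, src_addr, frame[off:])


class ReplayFilter:
    """Receiver-side check: accept a frame only if its counter is newer than the
    last one accepted from that source, tolerating counter wrap-around."""

    def __init__(self, modulus: int = 256):
        self.modulus = modulus
        self.last: dict[int, int] = {}

    def accept(self, src_addr: int, counter: int) -> bool:
        prev = self.last.get(src_addr)
        if prev is not None:
            delta = (counter - prev) % self.modulus
            # delta 0 is an exact replay; a large delta is an old frame after wrap
            if delta == 0 or delta > self.modulus // 2:
                return False
        self.last[src_addr] = counter
        return True


def build_data_frame(seq: int, payload: bytes,
                     src: int = 0x0002, dst: int = 0x0001, pan: int = 0x1234) -> bytes:
    """Constructed data frame: FCF 0x8861 = data type, ack request, PAN
    compression, 16-bit destination and source addresses."""
    return struct.pack("<HBHHH", 0x8861, seq, pan, dst, src) + payload


def replay_demo(modulus: int) -> list:
    """Send ON, OFF, replay the captured ON, send one fresh frame, replay ON
    again. Returns the filter's accept decisions in that order."""
    rf = ReplayFilter(modulus)
    on = build_data_frame(5 % modulus, b"\x01")     # hypothetical "boiler on" payload
    off = build_data_frame(6 % modulus, b"\x00")    # hypothetical "boiler off" payload
    fresh = build_data_frame(7 % modulus, b"\x00")
    decisions = []
    for f in (on, off, on, fresh, on):
        hdr = parse_frame(f)
        decisions.append(rf.accept(hdr.src_addr, hdr.seq))
    return decisions


if __name__ == "__main__":
    print("8-bit DSN :", replay_demo(256))
    print("mod-3     :", replay_demo(3))
```

With the full 8-bit counter the replayed ON frame is rejected both times; with a 3-state counter the second replay lands on the value the receiver is expecting next and is accepted, which is the practical difference between a counter that only deduplicates retransmissions and one that actually resists replay (and why 802.15.4 security uses a 32-bit frame counter under the MIC rather than the DSN).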

mark03:

--- Quote from: ataradov on December 02, 2015, 07:12:37 pm ---
--- Quote from: mark03 on December 02, 2015, 07:10:17 pm ---You could reverse-engineer the air interface on the cheap using an RTL-SDR type of dongle and [free] GNU Radio software.
--- End quote ---
Why would you want to do that? The radio is a standard IEEE 802.15.4 transceiver; there are proper sniffers for this already in existence. But if OTA communication is properly encrypted, sniffing it makes no difference.

--- End quote ---
I'm assuming a "proper sniffer" costs well over the $20 one those dongles will set you back.

ataradov:

--- Quote from: mark03 on December 02, 2015, 08:14:30 pm ---I'm assuming a "proper sniffer" costs well over the $20 one those dongles will set you back.
--- End quote ---
$50 at least. Do you have a link to a $20 SDR receiver?
